8 Common Cloud Misconfiguration Types (And How to Avoid Them)
Originally published by Vulcan Cyber here.
Written by Roy Horev, Vulcan Cyber.
Cloud misconfiguration refers to any errors, glitches, or gaps in the cloud environment that could pose a risk to valuable information and assets. It occurs when the cloud-based system is not correctly configured by the organization, leading to cyber exposures, security breaches, insider threats, or external hackers. These cloud-threat actors exploit vulnerabilities to gain access to the environment. These cloud misconfigurations result in companies exposing unencrypted or sensitive data to the public internet. This results in data leakage and downtime, which could lead to serious reputational damage and financial loss for the companies or government entities.
This blog will cover the impact of cloud misconfiguration, the most common types, and the steps you can take to avoid them.
Impact of cloud misconfiguration on system security
Misconfigurations in a cloud environment can provide attackers with unauthorized access to system functionality and sensitive data. For example, a misconfiguration in the database server could make data accessible through a basic web search, which could result in a major data breach. Cloud misconfigurations could even lead to complete compromise of system security and other severe consequences. The business impact of the specific misconfiguration depends on the severity of the misconfiguration, but resulting data breaches could cost the organization millions of dollars.
Let’s review some of the most common misconfigurations in the cloud environment.
1. Overly permissive access
A cloud environment is considered to be overly permissive when too many cloud access permissions are enabled. This could include:
- Enabling legacy protocols on the cloud host
- Exposing external-facing ports
- Exposing sensitive APIs without appropriate controls
- Enabling communication modes between private and public resources
The list of access controls is defined as policies that are applied to individual workloads or cloud subscriptions. Excessive permissions to access controls while configuring applications can provide attackers with a path to move vertically or laterally inside the system and increase the exposed attack surface.
2. Storage access misconfigurations
Another example of cloud misconfiguration is exposing storage assets to external actors. Many times, organizations confuse “authenticated” users with “authorized” users and thus mistakenly grant access to the “authenticated” users. These authenticated users could be any client or user with valid credentials, as they are authenticated with the AWS but are not authorized for your organization or application. A simple example of this is to allow access to a S3 bucket to all AWS users rather than all authorized users of the application. Access to storage buckets should be granted only within the organization.As a result of this cloud misconfiguration, cybercriminals may access the storage and find crucial information like API keys, passwords, and other credentials as they actively scan AWS S3 buckets and public GitHub repositories. Organizations should therefore be cautious when setting storage configurations to ensure cloud storage is not compromised or exposed. Security teams should enable strong encryption by default for crucial data in storage buckets, monitor all storage nodes labeled as public, and eliminate unnecessary permissions or exposed access.
3. Unrestricted inbound and outbound ports
All inbound ports that are open to the internet pose a potential security risk. When migrating to multi-cloud infrastructure, security teams should know the full range of open ports and restrict them to essential systems, locking down those that are not strictly necessary.
Not only do inbound ports pose security concerns, but outbound ports also create vulnerabilities through data exfiltration, lateral movement, and internal network scans when the system is being compromised. Granting access to a server from a public network or even from a network outside your VPN, through various modes such as RDP or SSH, is a common cloud misconfiguration that puts you at risk of data violation. Application servers should limit the outbound traffic to essential applications and servers only. Using the principle of least privilege, access to outbound ports should be restricted for SSH, as application servers rarely need to communicate over SSH to other remote servers in the network.
4. Unlimited access to non-HTTP/HTTPS ports
It is important to identify and check all open ports since system operations depend on these potentially vulnerable open ports. You should open the ports you absolutely need and block those you don’t need from the internet. Leaving these ports poorly configured provides an easy access point for attackers to exploit or brute-force the authentication. If these ports need to be opened to the internet, make sure the communication is encrypted and the traffic is restricted to specific addresses only.
5. Disabled or under-configured monitoring and logging
Even well-established organizations sometimes lack strict and robust monitoring and logging mechanisms. Logging and regular monitoring of activities on your cloud platform is crucial.
These logs can be useful for:
- Identifying suspicious actions and security blind spots
- Noticing employee’s unauthorized actions
- Having regular reports
- Identifying any other mistakes or misconfigurations
However, logs are only helpful if they are being continuously monitored in order to take the appropriate actions. Make sure that you have sufficient logs for every activity that could lead to a security breach. Implement automated and targeted alerts based on these logs so that any breach or suspicious activity can be identified and addressed before it results in a breach.
6. Default credentials for systems
Many development teams create default credentials for authentication to simplify the development process. For example, many teams have some default credentials for cloud instances, databases, and other services. These default credentials are usually easy to guess and/or known to too many. And while this should go without saying, none of these credentials or configurations should be used in production environments.
You should have different configuration files based on the development environment. Implementing a process to prevent default credentials from propagating to the production environment is key, as is auditing every release to ensure this process works.
7. Development settings in production environment
Another common misconfiguration is to use development settings in production environments. In most cases, the settings and configurations that were suitable for the development environment will not be appropriate for production environments, for a number of reasons.
For example, allowing incoming requests at any rate from any server may seem fine in development but can lead to major problems in the production environment. This also includes hidden code in applications. For instance, printing sensitive debugging information in the console may be easily overlooked and result in a major security breach in the production environment. You should therefore carefully review these code settings and set them correctly before deploying to the production environment.
8. Not following “safe” configurations for third-party components
Throughout the development process, we use various third-party libraries, components, and applications. While it is critical to conduct a comprehensive analysis when selecting the vendors for your various components, it is no less important to ensure you are following the best practices and configurations prescribed by them.
Most software vendors, whether commercial or open-source, will prescribe the best practices or recommended safe implementations that have undergone security testing on their end. Correctly implementing these best practices not only reduces the risk of a security breach but also increases the liability of these vendors in case a breach does in fact occur.
Thinking beyond cloud misconfiguration
Misconfigurations are one of the most common causes of security breaches in cloud environments. Even if you follow all the best practices in development, a simple misconfiguration‒if overlooked‒can compromise the security of your entire system. While it is critical to take the necessary precautions to prevent this, it is very difficult to create a system that is 100% secure. Still, by identifying and eliminating the cloud security vulnerabilities covered here, you can help minimize the security risks.
And, as with all areas of cyber risk, cloud security efforts should be centered around prioritizing and mitigating the threats most relevant to your business, directing your resources where they are most needed, and collaborating with teams to effectively reduce real cyber risk.
Sign up to receive CSA's latest blogs
This list receives 1-2 emails a month.